sys_macosx: drop root privileges

Run chronyd as a non-privileged user, using the privops helper to
perform adjtime(), settimeofday() and bind() functions on its behalf.
Bryan Christianson
2015-11-24 21:01:59 +13:00
committed by Miroslav Lichvar
parent 139fc667aa
commit 750d82f1d1
7 changed files with 61 additions and 9 deletions
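The two-process arrangement the commit message describes, as an added illustration that is not chrony's privops code: the parent forks a child while still root, the child stays root and brokers exactly three calls (bind(), settimeofday(), adjtime()) over an AF_UNIX socketpair, and the parent then drops to an unprivileged user. Every name here (privops_start, helper_loop, privops_bind, the req/resp wire format, the user "nobody", the port 123 in main) is this example's own assumption; the page shows nothing of chrony's real helper protocol, and the parent creating the socket itself and passing it with SCM_RIGHTS is one design choice, not necessarily chrony's.

```c
#define _GNU_SOURCE   /* glibc: expose settimeofday(), adjtime() and setgroups() */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>
/* The root helper executes exactly these operations; every other opcode is refused. */
enum { OP_BIND = 1, OP_SETTIME = 2, OP_ADJTIME = 3, OP_QUIT = 4 };
struct req  { int op; struct sockaddr_in addr; struct timeval tv; };   /* hypothetical wire format */
struct resp { int rc; int err; };
static pid_t helper_pid = -1;

/* One message over the AF_UNIX socketpair; a descriptor fd >= 0 is attached via SCM_RIGHTS. */
static int send_msg(int sock, const void *buf, size_t len, int fd) {
    struct iovec iov = { (void *)buf, len };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg; memset(&msg, 0, sizeof msg); memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    if (fd >= 0) {
        msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)len ? 0 : -1;
}
/* Receive one message; *fd_out becomes the passed descriptor, or -1 if none came along. */
static int recv_msg(int sock, void *buf, size_t len, int *fd_out) {
    struct iovec iov = { buf, len };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    *fd_out = -1;
    if (recvmsg(sock, &msg, 0) != (ssize_t)len) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) memcpy(fd_out, CMSG_DATA(c), sizeof(int));
    return 0;
}

/* Root side: a fixed-function syscall broker. A compromised parent can obtain these three calls, nothing else. */
static void helper_loop(int sock) {
    struct req r; struct resp rp; int fd;
    for (;;) {
        if (recv_msg(sock, &r, sizeof r, &fd) < 0) _exit(1);
        errno = EINVAL; rp.rc = -1;                                  /* default: refused */
        if (r.op == OP_BIND && fd >= 0) rp.rc = bind(fd, (struct sockaddr *)&r.addr, sizeof r.addr);
        else if (r.op == OP_SETTIME)    rp.rc = settimeofday(&r.tv, NULL);
        else if (r.op == OP_ADJTIME)    rp.rc = adjtime(&r.tv, NULL);
        else if (r.op == OP_QUIT)       _exit(0);
        rp.err = errno;
        if (fd >= 0) close(fd);                                      /* the helper keeps no descriptors */
        if (send_msg(sock, &rp, sizeof rp, -1) < 0) _exit(1);
    }
}
/* Fork the helper while still root, then drop root in the parent; returns the parent's socket or -1. */
static int privops_start(const char *user) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (helper_pid = fork()) < 0) return -1;
    if (helper_pid == 0) { close(sv[0]); helper_loop(sv[1]); }
    close(sv[1]);
    if (getuid() == 0) {                              /* nothing to drop when started unprivileged */
        struct passwd *pw = getpwnam(user);
        /* groups and gid before uid; then prove root is really gone: setuid(0) must fail now */
        if (!pw || setgroups(1, &pw->pw_gid) < 0 || setgid(pw->pw_gid) < 0 ||
            setuid(pw->pw_uid) < 0 || setuid(0) == 0) return -1;
    }
    return sv[0];
}
/* Unprivileged side: one round trip; on failure errno is whatever the helper saw. */
static int privops_call(int sock, const struct req *r, int fd) {
    struct resp rp; int unused;
    if (send_msg(sock, r, sizeof *r, fd) < 0 || recv_msg(sock, &rp, sizeof rp, &unused) < 0) return -1;
    if (rp.rc != 0) { errno = rp.err; return -1; }
    return 0;
}
/* The parent creates the socket itself and hands it over only for the bind() call. */
static int privops_bind(int sock, int fd, const char *ip, int port) {
    struct req r; memset(&r, 0, sizeof r);
    r.op = OP_BIND; r.addr.sin_family = AF_INET; r.addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &r.addr.sin_addr) != 1) { errno = EINVAL; return -1; }
    return privops_call(sock, &r, fd);
}
static int privops_stop(int sock) {
    struct req r; memset(&r, 0, sizeof r); r.op = OP_QUIT;
    send_msg(sock, &r, sizeof r, -1); close(sock);
    return helper_pid > 0 ? (int)waitpid(helper_pid, NULL, 0) : -1;
}

int main(void) {
    int s = privops_start("nobody"), fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0 || fd < 0) { perror("privops_start"); return 1; }
    if (privops_bind(s, fd, "127.0.0.1", 123) < 0) perror("bind port 123 via helper");
    else printf("uid %d now holds a socket bound to port 123\n", (int)getuid());
    return privops_stop(s) > 0 ? 0 : 1;
}
```

Run as root, main prints the unprivileged uid holding a socket bound to the privileged NTP port; run as a normal user the helper is not root either and the bind fails with EACCES, which is the point of forking before the drop. The security properties to check in any real implementation of this shape are the ones the comments mark: the helper dispatches on a closed set of opcodes with fixed argument shapes rather than a generic "call this syscall" request, it holds no descriptors between requests, and the parent verifies that setuid(0) fails after dropping rather than trusting that setuid() returned 0.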


@@ -103,7 +103,12 @@ This option sets the name of the system user to which \fBchronyd\fR will switch
after start in order to drop root privileges. It overrides the \fBuser\fR
directive (default \fB@DEFAULT_USER@\fR). It may be set to a non-root user
only when \fBchronyd\fR is compiled with support for Linux capabilities
(libcap) or on NetBSD with the \fB/dev/clockctl\fR device.
(libcap), on NetBSD with the \fB/dev/clockctl\fR device or on Mac OS X.
In the Mac OS X implementation \fBchronyd\fR forks into two processes. The
child process retains root privileges but can only perform a very limited range
of privileged system calls on behalf of the parent. The parent process drops
root privileges to run as the specified system user.
.TP
\fB\-F\fR \fIlevel\fR
This option configures a system call filter when \fBchronyd\fR is compiled with
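Review bot: the new man page sentence "can only perform a very limited range of privileged system calls on behalf of the parent" leaves the administrator guessing what that range is, while the commit message names it exactly; since this is the text that documents the residual capability a compromised unprivileged parent keeps, suggest spelling it out in place, e.g. "The child process retains root privileges but can only perform a very limited range of privileged system calls (adjtime(), settimeofday() and bind()) on behalf of the parent." Nothing else in the hunk needs changing; the rewritten "(libcap), on NetBSD with the \fB/dev/clockctl\fR device or on Mac OS X." reads fine.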